According to a study released this week by security research firm Comparitech, local and federal government entities have suffered 443 data breaches since 2014, with last year being the worst year on record. Researchers analyzed the last four years of government breaches – which included not just database breaches, but other electronic and even paper breaches. The study looked at stolen laptops, hard drives, and document mailing errors.
One of the key findings of the study was that from those 443 breaches, 168,962,628 records were compromised. Of the total breaches over the four-year period, 100 occurred in 2018 and involved 81,505,426 records. There were also 90 breaches in 2014 with 9,419,799 records involved.
While electronics breaches accounted for the majority of failings in securing data, according to the study, one-third of all breaches in 2014 involved paper data.
In many cases human error was a major factor in the breaches – mostly at the hands of phishing scams and other methods of social engineering. Surprisingly, other breaches occurred not because of an actual cyber attack, but because of something as simple as an email sent to the wrong recipient.
“Phishing is one such attack vector, but many of the breaches don’t involve any malicious intent at all,” said Paul Bischoff, privacy advocate and lead researcher on the study. “For example, bureaucratic errors often resulted in data unintentionally being sent to the wrong parties.”
Data Breaches by the Numbers
According to the study, the top 10 largest data breaches of government entities by number of records exposed since 2014 included:
- U.S. Postal Service (DC) – 60,000,000 records – 2018
- Office of Personnel Management (DC) – 21,500,000 records – 2015
- California Secretary of State (CA) – 19,200,000 records – 2017
- Government Payment Service, Inc. (IN) – 14,000,000 records – 2018
- Georgia Secretary of State (GA) – 6,000,000 records – 2015
- Office of Child Support Enforcement (WA) – 5,000,000 records – 2016
- Office of Personnel Management (DC) – 4,200,000 records – 2015
- U.S. Postal Service (DC) – 3,650,000 records – 2014
- Los Angeles County 211 (CA) – 3,200,000 records – 2018
- Washington Department of Fishing and Wildlife (WA) – 2,435,452 records – 2016
The study noted that the U.S. Postal Service (USPS) and Office of Personnel Management (OPM) appeared twice – as each breach is considered an individual incident. Comparitech also tracked the most breached government departments. While it noted that some departments and agencies are breached more frequently, this could be due to a combination of factors, including poor security, more attack vectors, higher value data, or simply a larger volume of data.
The Department of Health and Human Services suffered 29 breaches involving 174,547 records. These were attributed to human error, such as mailing information to the wrong address or inadvertently posting information online, but the causes also included hacking, laptop theft, and, in one case, two employees who stole information to file fraudulent tax returns.
The Department of Veterans Affairs had 33 cases involving 113,786 compromised records; several of these involved veterans’ data being discarded without being shredded first or simply being left in public places.
Data Breaches by Region
Washington, D.C. had 37 cases with 95,166,900 affected records in the four-year period. The nation’s capital accounted for four of the largest breaches: the USPS breaches in 2018 and 2014, and the two OPM breaches.
In addition, there was the 2019 Federal Emergency Management Agency (FEMA) breach, in which data on disaster victims was accidentally released to a contractor that did not require the information. There was also the 2014 breach involving the Internal Revenue Service (IRS), which occurred when contractors with insufficient background checks were found to be handling millions of sensitive records.
Several states have seen more than their fair share of breaches. This includes California, with a total of 57 cases involving 24,299,303 records; Texas, with 25 breaches and 3,423,326 records; and Ohio, with 17 cases and 914,474 records.
In some cases, according to the study, states that have had fewer breaches have still seen many records exposed. This included Alabama, which had just five breaches, yet 1,397,389 records were affected. Kentucky had only three cases, but 2,2127,457 records were affected. Kentucky’s Department of Fish and Wildlife was the target of a hacker who compromised data on four state websites in 2016, accounting for 2,125,449 of those records.
What Does the Future Hold?
With more and more data to secure, the problem could get worse before it gets better, warned Bischoff.
“As we store more data online and make that data accessible to people over the internet, hackers and criminals will also have more attack vectors,” he told ClearanceJobs. “There’s not much you can do as an individual to protect your data once it’s in someone else’s hands,” added Bischoff. “The best way to keep your data private is to abstain from giving it up in the first place. But with the government, that’s not always possible.”
Even stronger encryption may not be the best solution.
“In most instances, only critical data – credit card numbers, passwords, SSNs – are encrypted,” Bischoff explained. “Other data is stored in plain text. Encryption requires a fair amount of time and computing power, so encrypting everything isn’t always feasible. Encryption alone isn’t enough. Access control and operational security also play big roles. Seeing how often government data breaches result from non-malicious human error, it seems an investment in operational security would be wise.”